DNSCrypt / DNSCurve

I understand that you plan on supporting DNSSEC out of the box, but is there any chance that you are considering adding support for DNSCrypt or DNSCurve?

1 Like

Still no information about this?

Did anyone try to implement this feature as explained here:

My personal opinion is that it’s not useful. I would prefer to have the standard DNS-over-TLS (RFC 7858) .

And a public resolver running DNS-over-TLS at turris.cz would be nice, too (and a pony, please :yum:)

I have managed to install dnscrypt. It’s easy:

  1. install it & dnsmasq full
  2. Disable resolver service (luci)
  3. Configure dnsmasq, make it listen to port 53

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# option port '0'
option nonwildcard '0'
list server ''
option dnssec '1'
# option dnsseccheckunsigned '1'

Stéphane, CZ.NIC plan to provide a public DNS-over-TLS service as soon there’s support for client DNS-over-TLS in kresd (that’s planned to happen this year).


Are there any updates on this? According to https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status knot already has all the components besides “TLS DNSSEC Chain Extension”.

A little bit of background: my ISP intercepts all DNS traffic and tampers with resolution. I would prefer to address this problem without adding DNSCurve/DNSCrypt which is not supported (or going over a VPN and paying the performance penalty).

Great work!

1 Like

There is still support in kresd for DNS over TLS on client side only ATM. (EDIT: by that I mean kresd can serve TLS but not forward over TLS yet.) CZ.NIC doesn’t provide TLS on the public service yet (easy to try).

Plans tend to change, depending on priorities. Honestly, it seems well possible that the server-side TLS support might not land this year. (I personally have no idea about plans for the public service, unfortunately.)

Is it possible to have my own resolver running on another externally hosted VPS and have kresd be a client (with caching) to that resolver? Please advise.

Caching when forwarding is only done with kresd >= 1.3.0, and that’s not yet contained in current stable or RC Omnia. The STUB and FORWARD policies are described in kresd docs.